CLAIMS 



WE CLAIM: 

1 . A safety industrial controller receiving signals from electrical sensors on a 
safety process and providing signals to electrical actuators on the safety process, the 
safety industrial controller comprising: 

input circuits receiving input signals from sensors and transmitting them to 
logic circuitry before a first worst-case delay; 

logic circuitry receiving the input signals from the input circuits to create at 
least one output signal based on the input signals and transmitted to an output circuit 
before a second worst case delay; and 

output circuit receiving the output signal from the logic circuitry to output 
the output signal to an actuator before a third worst case delay only if the time 
elapsed since the input circuits received at least one of the input signals is less than a 
predetermined time limit, the predetermined time limit being less than the sum of the 
first, second, and third worst case delays, and otherwise the output circuit entering a 
predetermined safety state. 

2. The safety industrial control of claim 1 : 

wherein the input circuits repeatedly transmit the input signals to the logic 
circuitry at a predetermined repetition period less than the predetermined time period 
and ; 

wherein the logic circuitry creates the output signal at a repetition rate 
triggered by receipt of the input signals. 

3. The safety industrial control of claim 1: 

wherein the input circuitry includes a time stamp means creating a time 
stamp indicating a time corresponding to the receiving of the input signals by the 
input circuits; 

wherein the logic circuitry includes means for associating the output signal 
with one time stamp of the input signals so received; and 
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wherein the output circuitry includes means for providing an output signal to 
an actuator only when the output signal arrives at the output circuit before a time 
equal to a time stamp of a previous output signal plus a predetermined time limit. 

4. The safety industrial controller of claim 3 wherein the input signals are 
redundant input signals and the time stamping means creates the time stamp when 
the redundant input signals have coincidence. 

5. The safety industrial control of claim 3: 

wherein the input circuits repeatedly transmit the input signals to the logic 
circuitry at a predetermined repetition period less than the predetermined time period 
and ; 

wherein the logic circuitry creates the output signal at a repetition rate 
triggered by receipt of the input signals. 

6. The safety industrial control of claim 3 wherein the means for associating 
associates the earliest time stamp of the input signals with the output signal. 

7. The safety industrial controller of claim 3 wherein means for associating 
follows a user defined time stamp function indicating which of the time stamps of 
the input signal is associated with the output signal. 

8. The safety industrial controller of claim 3 wherein the input and output 
circuits have synchronized clocks. 

9. The safety industrial controller of claim 3 wherein the input and output 
circuits have asynchronous clocks and wherein the input circuit provides a value to 
the output circuit indicating an offset between the clocks of the input and output 
circuits and wherein the predetermined time limit is the sum of a maximum 
allowable propagation delay plus the offset value minus an uncertainty in the offset 
value. 
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10. The safety industrial controller of claim 1 wherein the first worst case 
delay includes a time to transmit the input signals on an electrical medium 
connecting the input circuits to the logic circuit. 

1 1 . The safety industrial controller of claim 1 wherein the input circuit 
includes a filter and wherein the first worst-case delay includes a filter rise time. 

12. The safety industrial controller of claim 1 wherein the second worst case 
delay includes a time to transmit the output signals on an electrical medium 
connecting the logic circuit to the output circuit. 

13. The safety industrial controller of claim 1 wherein the safety state 
provides a safety output value determined by a user. 

14. The safety industrial controller of claim 1 wherein the input circuits 
transmit the input signals to logic circuitry after a first average delay and the logic 
circuitry transmits the output signals to the output circuit after a second average 
delay, and the output circuit transmits the output signal to an actuator after a third 
average delay; and 

wherein the predetermined time limit is greater than a sum of the first, 
second, and third average delays. 

15. The safety industrial controller of claim 1 wherein the output circuit is 
implemented with a processor executing a stored program. 

16. The safety industrial controller of claim 1 wherein the output circuit is 
implemented with dedicated circuitry. 

17. A method of operating a safety industrial controller receiving input 
signals from electrical sensors on a safety process at input circuits and transmitting 
the input signals to logic circuits to produce output signals transmitted in turn to 
output circuits and then to electrical actuators on the safety process, the method 
comprising the steps of:: 
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at the input circuitry, transmitting received input signals to logic circuitry 
before a first worst-case delay; 

at the logic circuitry, creating at least one output signal based on the input 
signals and transmitting the output signals from the logic circuitry to an output 
circuit before a second worst case delay; and 

at the output circuitry, outputting the output signal to an actuator before a 
third worst case delay only if the time elapsed since the input circuits received at 
least one of the input signals is less than a predetermined time limit, the 
predetermined time limit being less than the sum of the first, second and third worst 
case delays, and otherwise the output circuit entering a predetermined safety state. 

1 8. The method of claim 17 including the steps of: 

the input circuits repeatedly transmitting the input signals to the logic 
circuitry at a predetermined repetition period less than the predetermined time period 
and; 

the logic circuitry creating the output signal at a repetition rate triggered by 
receipt of the input signals. 

19. The method of claim 17 including the steps of: 

creating a time stamp indicating a time corresponding to the receiving of the 
input signals by the input circuits; 

associating the output signal with one time stamp of the input signals so 
received; and 

providing an output signal to an actuator only when the output signal arrives 
at the output circuit before a time equal to a time stamp associated with a previous 
output signal plus the predetermined time limit. 

20. The method of claim 17 wherein the input signals are redundant input 
signals and the time stamp is when the redundant input signals have coincidence. 

21. The safety industrial controller of claim 19 wherein the output signals 
are provided to an actuator only when the output signal arrives at the output circuit 
before a time equal to a time stamp associated with a previous output signal plus a 
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first predetermined time limit and the output signal arrives at the output circuit 
before a time equal to a time of receipt of an immediately preceding output signal 
plus a second predetermined time limit. 

22. The safety industrial controller of claim 19 and the time stamp of the 
input signals associated with the output signal is the earliest time stamp of the input 
signals so received. 

23. The safety industrial controller of claim 19 wherein the time stamp 
associated with the output signal follows a user defined time stamp function 
indicating which of the time stamps of the input signal is forwarded by the output 
signal. 

24. The method of claim 19 wherein the input and output circuits have 
synchronized clocks. 

25. The method of claim 19 wherein the input and output circuits have 
asynchronous clocks and wherein the input circuit provides a value to the output 
circuit indicating an offset between the clocks of the input and output circuits and 
wherein the predetermined time limit is the sum of a maximum allowable 
propagation delay plus the offset value minus an uncertainty in the offset value. 

26. The method of claim 17 wherein the first worst-case delay includes a 
time to transmit the input signals on an electrical channel connecting the input 
circuits to the logic circuit. 

27. The method of claim 17 wherein input circuit includes a filter and 
wherein the first worst-case delay includes a filter rise time. 

28. The method of claim 17 wherein the second worst-case delay includes a 
time to transmit the output signals on an electrical channel connecting the logic 
circuit to the output circuit. 

29. The method of claim 17 wherein the safety state is an output determined 
by a user. 
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30. The method of claim 17 wherein the input circuits transmit the input 
signals to logic circuitry after a first average delay and the logic circuitry transmits 
the output signals to the output circuit after a second average delay, and the output 
circuit transmits the output signal to an actuator after a third average delay; 

wherein the predetermined time limit is greater than a sum of the first, 
second, and third average delays. 
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